HOW TO ENSURE ISO 26262 FOR HIGHLY … · quality in the driver’s seat solutions for integrated quality assurance of embedded automotive software how to ensure iso 26262 for highly

QUALITY IN THE DRIVER’S SEAT SOLUTIONS FOR INTEGRATED QUALITY ASSURANCE OF EMBEDDED AUTOMOTIVE SOFTWARE

HOW TO ENSURE ISO 26262

FOR HIGHLY COMPLEX SOFTWARE MODELS

Dr. Heiko Doerr

2

AGENDA

Integration of ISO-26262-6 SW process into model-based development

Model testing as dedicated process steps

Architectural complexity

Handling of model quality

Summary and conclusion

Disclaimer: Examples are using the Simulink / Stateflow approach to model-based SW development in the Automotive domain. Results can be transferred to other modeling languages and paradigms.

MODEL ENGINEERING SOLUTIONS GMBH | HOW TO ENSURE ISO 26262 | May 2015

3

MODEL-BASED DEVELOPMENT

Functionality is realized as a model

Large models consist of more than 5.000 blocks

Generation of production code from the model

ISO 26262 recommends model-based development and requires a number of quality assurance measures


Model-based development has become the dominant approach to SW development in the automotive domain.

Traditional software development Model-based software development

4

Implementation (Target) Code

V-MODEL FOR MODEL-BASED DEVELOPMENT

Requirements specification

System and function design

System integration

Requirements

Implementation model

Software integration

Automatic code generation

(RCP) Code


Behavioral model

Physical model

Models contribute to various tasks during development. Model-based SW development focusses on the generation of code.

5

ISO 26262-6 DEVELOPMENT PROCESS


The ISO 26262-6 reference model schedules validation at several phases. Model-based development offers frontloading and reuse of test artifacts.

6-7 Software architectural design

6-10 Software integration and

testing

6-6 Specification of software safety requirements

6-11 Verification of software safety

requirements

6-8 Software unit design and

implementation

6-9 Software unit testing

Requirements traceability

6

ALLOCATION OF ISO-26262-6 PHASES

Requirements specification

System and function design

System integration

SW integration


SW-safety activities are covered by model-based development process.

Implement.

6-10 Integration and testing

6-11 Verif. of SW safety reqs

6-8 Unit design & Implementation 6-9 Unit testing

6-7 Architec- tural design

6-6 Safety requirements

7

ISO 26262-6 REQUIREMENTS ON UNIT TESTING


The standard highly recommends requirements driven tests. Automated generation of test cases from models is not sufficient.

8

SOFTWARE INTEGRATION AND (UNIT) TESTING


Model

Test input data

C Code (Target)

C Code (Host)

Software-in-the-Loop

Processor-in-the-Loop

Model-in-the-Loop

Requirements driven tests continuously assure safety requirements. Comprehensive model testing reduces overall efforts by frontloading.

SW safety Requirements

9

WHAT IS THE MES TEST MANAGER?

Test Catalog (Stimuli & Test Results)

Coverage & Traceability of Requirements

Model Coverage & Code Coverage

Metrics

TEST DOCUMENTATION

TEST RESULTS Code

Coverage Model

Coverage

Zeit

Schwelle

ASSESSMENT FRAMEWORK

Requirements

Code Simulation

Model Simulation TEST

STIMULI

TEST SPECIFICATION


A professional model test management framework which supports requirements-based unit testing of Simulink® models

10

TEST DATA DEFINITION

Multiple ways to define test sequences

Import (measured) data as test data Support of different file formats (mat, csv, Excel, … files)

Import via command line or GUI

Systematic test definition (requirements based) Classification tree method (equivalence class method)

Integration of CTE/XL Standard/Professional Graphical test specification

Formal test specification (requirements based) Model Test Case Designer (MTCD) integrated into MTest Script-based test specification

Further (internal) specification methods TTCN derivation

10 10


11

TEST CASE DEFINITION WITH MTCD

MTCD (formal test case definition language development by MES)


12

TEST CASE DEFINITION WITH CTE


13

13

TEST EXECUTION – AUTOMATIC SIMULATION

Test execution process Loading test setup

Loading simulation data (inputs / test description)

Setting simulation parameters

Executing test bed with data (>> sim(…))

Saving simulation results (outputs)

Support for different simulation modes Model simulation Code simulation etc.

13


14

14

TEST ASSESSMENTS

Test assessments Evaluation of requirements based on input/output signals

Assessments: implemented as m-files

Types of assessments Global assessment: applicable to all test sequences

Local assessment: applicable to one test sequences

Automatic evaluation One result for each assessment

per test sequence Passed: Requirement passed Failed: Requirement failed Not Applicable: Req. not triggered

Aggregation for each test sequence

Most critical result is sequence result

14


15

AUTOMATED TEST ASSESSMENTS

Assessment function acts as a check or reference to a software requirement

I/O variables are evaluated by the assessment for each test sequence

Requirement

In-Signals

Assessment Function

Check

Out-Signals

Parameter

preprocessing

Local-Signals

Result

? Result:

? ? ? ?

? ? ?

? ? ?

? ?

? ?

? ?

m Assessments

n Test Sequence


16

EXAMPLE: AUTOMATED TEST ASSESSMENT

Test and assessment for requirement REQ:TVC_001

“Absolute tank volume should never be higher than

80 liters (MaxVolume)”


17

TESTING OF LARGE MODELS

Reduce manual tasks to set-up, test case specification and evaluation

Use back-to-back test to maintain safety requirements

Simplify test evaluation by automated assessments validating safety invariants


17 17

Model testing requires a high degree of automation to cope with large models.

18

ISO 26262-6 REQUIREMENTS ON MODELLING


Implementation of modelling (and coding) guidelines is “STRONGLY RECOMMENDED”.

19

MODEL COMPLEXITY ANALYSIS


Model architecture analysis identifies complex model parts easily.

20

SW-UNITS AS ATOMIC ARCHITECTURAL ENTITY

SW units are the atomic entity for development

quality assurance

delivery

Early definition of terms is essential for definition of development process

Early definition is essential for architectural design

ISO 26262 Part 6:


Definition of a SW unit is essential for safety activities, because …

21

SW-UNITS AS ATOMIC ARCHITECTURAL ENTITY


Test execution

Test specifications

Structural elements for SW architecture

Libraries

Configuration management

Version management

Process definition SW Unit

Requirements

Definition of a SW unit faces conflicting interests.

22

SW ARCHITECTURE VS MODEL STRUCTURE


The SW architecture will be populated by subsystems from models.

SW Architecture

Model Structure

24

INGREDIENTS OF SW ARCHITECTURE


SW units will be represented by selected subsystems.

SW Architect.

Model Structure

SW Component SW Unit Subsystem

27

ARCHITECTURE ANALYSIS FOR LARGE MODELS

Clear visualization of model architecture and complexity

Delivers realistic figures on model size

Better estimates for the allocation of resources for development, testing, and review of models

Detection of unbalanced functionality and models

Guidance to refactoring and creation of libraries

Detection of model clones


Architecture analysis is essential to control complexity in large models.

28

MODELING GUIDELINES

Guidelines for …

unique look and feel support readability and better detection of errors in the model

allowed sub-sets of modeling language prevent from the use of risky features

consistent configuration of tools and models avoid common and known errors

code generator and compiler settings prevent from unintended use of generation options


Modeling guidelines capture best practices, contribute to model quality and implementation of safety-related software.

29

SPECIFIC EXAMPLE OF A ISO 26262 GUIDELINE


Readability is a pre-requisite for safety.

falsch

falsch

30

SPECIFIC EXAMPLE OF A ISO 26262 GUIDELINE


Int16, 2^-17,[-0.25..0.24]

UInt16 2^-10 [0..63.999]

Inherited, SAT:[0..63]

UInt16, 2^-7, [0..511.9]

Strong data typing is by intention not supported by Simulink/Stateflow. Specific checks required to assure the requested property.

36

GUIDELINE CHECKING FOR LARGE MODELS


Function modeler

Project configuration

Models

Reports

Quality manager Authors/Reviewer

Change Control Board Company Guidelines

Automation and organizational support is required to efficiently maintain coherent requirements on model quality.

37

SUMMARY – QUALITY MEASURES FOR ISO 26262-6


Implementation model

Functional and structural testing

Back-to-back test (autocode vs. IM)

Autocode

Static analysis of code

Requirements

Requirements review

Fixed-point arithmetic

Regression test

A comprehensive set of automatic quality measures contribute to the implementation of ISO 26262-6 in particular for large SW-models.

Physical model

Floating-point arithmetic

Model review

38

CONCLUSION

Increase of productivity via code generation Safe up to 50% of implementation

time

Significant improvement of software quality Up to 40% less software errors

Reduction of development time and costs Safe up to 30%


FRONTLOADING OF QUALITY ASSURANCE

CONTRIBUTES TO SAFETY

Model-based SW development can comply with safety requirements. Moreover, it helps to compensate additional safety efforts.

39

CONTACT

MODEL ENGINEERING SOLUTIONS GMBH Mauerstrasse 79 10117 Berlin T: +49 30 2091 6463-o F: +49 30 2091 6463-33 [email protected] www.model-engineers.com


Documents

HOW TO ENSURE ISO 26262 FOR HIGHLY … · quality in the driver’s seat solutions for integrated quality assurance of embedded automotive software how to ensure iso 26262 for highly